On Aug. 29, the Traverse City, Mich.-based Ponemon Institute and the San Diego-based A10 Networks released a study, “Uncovering Hidden Threats Within Network Traffic,” produced for the Ponemon Institute by A10 Networks. The authors of the study have found that “The risk to financial services, healthcare and other industries stems from growing reliance on encryption technology.” Among the study’s key findings: 80 percent off organizations were victims of cyber attacks during past year; nearly half of cyber attacks used malware hidden in encrypted traffic to evade detection; and 75 percent of IT experts surveyed admit malware could steal employee credentials from their networks.
The two organizations surveyed 1,023 “IT and IT security practitioners in North America and Europe, highlighting the overwhelming challenges these professionals face in preventing and detecting attacks on encrypted traffic in and out of their organizations’ networks.”
Key statements from the survey’s summary include the following:
> “Half of all known cyberattacks used SSL encryption to evade detection in the last 12 months.”
> “The inability to inspect encrypted traffic will compromise capacity to meet existing and future compliance requirements.”
> “Most don’t believe their organization can properly inspect SLL traffic.”
> “Encryption of inbound and outbound web traffic will continue to increase.”
> “Use of SSL encryption to mask malicious activity will parallel this growth.”
> “Three common barriers to implementing proper SSL inspection are a lack of security tools, insufficient resources, and performance degradation.”
> “SSL bandwidth requirements diminish the effectiveness of existing security controls.”
Meanwhile, the report notes, “More than half of all respondents (62 percent) admit that their organization does not currently decrypt Web traffic. Why?” For 45 percent, the reason is a lack of insufficient resources; another 45 percent cited performance degradation. Still, among the 62 percent of respondents who said that their organization does not currently decrypt Web traffic, 51 percent said they planned to do so within the next 12 months.
Another challenge cited by respondents from across industries, is around inspection strategies. The survey found that “For organizations that are inspecting decrypted traffic, most haven’t found a seamless or cost-effective manner of implementing the process. Many,” the report noted, “are using a blend of commercial-grade solutions, in-house technology, and labor-intensive manual inspection.”
The survey found that, among those organizations that are inspecting decrypted traffic:
> 53 percent are making use of a commercial solution with Deep Packet Inspection (DPI)
> 44 percent are using a commercial solution that utilizes big data
> 35 percent are engaged in homegrown traffic monitoring
> 28 percent are resorting to manual inspection
What are IT and IT security leaders looking for in potential solutions? The survey found that they want the following:
> 79 percent are looking for SSL certificate management
> 68 percent want scalability
> 63 percent are looking for compliance requirements
> 62 percent want uptime, performance and security
> 54 percent desire multi-vendor security integration
Most significantly, the report found, “Although 75 percent of survey respondents say their networks are at risk from malware hidden inside encrypted traffic, roughly two-thirds admit that their company is unprepared to detect malicious SSL traffic, leaving them vulnerable to costly data breaches and the loss of intellectual property. Among the IT professionals responding to the survey, the largest percentage work in financial services, followed by healthcare and the public sector — three industries most in need of protecting sensitive data. Moreover, the threat is expected to get worse as the volume of encrypted data traffic continues to grow, with the majority of respondents expecting network attackers to increase their use of encryption over the coming year to evade detection and bypass controls. Many companies may be caught off guard, as their security solutions collapse under the weight of tremendous SSL vulnerabilities.”
Indeed, alarmingly, 80 percent of survey respondents said that their organization had already been victims of a cyberattack within the past 12 months, with nearly half reporting that the attack had leveraged SSL traffic to evade detection, while another 15 percent were unsure about that fact.
The survey, conducted online, with online and phone-based responses, encompassed all industries, with the largest group of respondents working in the banking and financial services industry, and with 11 percent each coming from healthcare and from government.
Shortly after the study was released online, Chase Cunningham, Ph.D., director of cyberthreat operations at A10 Networks, spoke with HCI Editor-in-Chief Mark Hagland regarding the results of the survey and the study’s broader implications, especially for healthcare.
Looking at a key result of the survey underlying the study—32 percent of respondents reported being “very concerned,” 36 percent were “concerned,” 22 percent were “somewhat concerned,” and only 9 percent were “not concerned,” that encrypted communications would leave their network vulnerable to hidden threats, how do you read that result?